Cite this
Data Security, Privacy and Institutional Review Board (IRB) Approval
EvaluateUR is intended to be used by a program or institution to more fully understand the impact of its undergraduate research program and to better support the participants within the programs. The data are collected and stored by the SERC office at Carleton College which does not use the data itself in any way other than to support the individual programs that subscribe to the service. Since these activities do not intrinsically involve "contributing to generalized knowledge" (e.g. drawing conclusions that apply beyond the program itself, disseminating the results to a wider audience, or otherwise engaging in systematic research) they do not require oversight by an institutional review board (IRB) because they are not 'research'.
Should you want to use the EvaluateUR data as part of any systematic investigation designed to develop or contribute to generalizable knowledge (e.g. you plan to publish a paper, or present at a conference) you must obtain approval from your local IRB. The approval process will need to be completed (and any required consents collected) before any data are collected. Typically use of EvaluateUR in this way is considered 'exempt' and many IRB have expedited mechanisms for these cases.
Information about Data Security
Data collected from the EvaluateUR are kept private except as needed to support the mechanics of the program. Our security and privacy processes are detailed below:
Data are collected from students and their mentors through a series of online forms hosted within Serckit, an online content management system developed and managed by the SERC office at Carleton College. All data in Serckit are stored in facilities managed by Amazon and so physical security of the data is ensured by Amazon's security policies detailed here: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
All interactions with Serckit systems take place over secure, encrypted network connections via TLS. All data are stored, both in the primary database and all backups in encrypted form.
Direct access to the underlying Serckit servers is only available, via private key authenticated ssh, to SERC system administration staff who need access to maintain the servers. All other access is via Serckit's web interface, mediated by Serckit's authentication and access infrastructure. This system ensures access to the student and mentor data is only granted as needed to support the program. Specifically:
- individual students have access to their mentor's responses as that is a core element of the program
- likewise individual mentors have access to their student's responses
- The designated program administrator has full access to their program's information in order to manage and oversee the program
- Jill Singer, EvaluateUR Director, and the SERC staff at Carleton College have full access to the system and data solely to support local program administrators in trouble-shooting their local use of the system. The EvaluateUR program and SERC do not otherwise access or make use of any data collected from students and their mentors in any way.
Data are only stored in the system for one year. This is intended to support use by the local program during the research process and immediately after the research program when the local program administrator may need to access the data for program evaluation purposes. All student/mentor data is removed from the systems within one year after a student/mentor pair starts their research process. At that point it is no longer stored in Serckit and no longer available to the EvaluateUR project or SERC. In the event that a program or institution wants to retain their data the site administrator should download a copy of the data before it is removed from Serckit.
Serckit has been in operation since 2002, hosting over 150 grant-funded websites. The system manages the authentication for over 10,000 user accounts and hosts over 100,000 web pages for 5 million visitors each year.